What’s changing?
Admins can use group locking in Google Groups to keep groups from falling out of sync with external sources, such as identity providers.
For example, if an external system is the data source for a group, data synchronization from that source can overwrite changes made by group members in Google Workspace. Locking a group allows only selected administrators to make important changes. This feature is available as an open beta without additional sign-up.
You can find the “Locked” option in the Admin console under Groups > Group information > Group labels.
Getting started
Admins:
- Learn more about group locking and assigning specific administrator roles with conditions in the Help Center.
- Check out the developer documentation to learn how to manage locked groups with the Cloud Identity Groups API (Beta).
Important points!
If you use third-party tools such as Entra ID to manage group synchronization, you may experience consistency issues when making modifications such as adding or removing members. To address this, we are introducing the option to “lock” groups to prevent modifications within Google Workspace and maintain synchronization with external sources.
When a group is locked, only specific administrators (Super Admins, Group Admins, and Custom Admins with “Manage Lock Label” privileges) can modify the following:
- Group name, description, email, and aliases
- Group labels
- Membership (adding or removing members) and membership restrictions
- Member roles
- Group deletion
- Setting new membership expiration
Even if a group is locked, access and content moderation settings are not affected, including the following:
- Who can post
- Who can view members
- Who can contact members
- Member removal due to existing membership expiration
- Access or content moderation settings
Additional details
By default, end users (including owners and managers of locked groups) cannot make the changes listed above. To also restrict some administrators from making these changes in the Admin console or through the API, you can assign a Group Editor role with a condition that excludes locked groups.
The permission to lock or unlock a group using the “Lock” label is granted to Super Admins, Group Admins, or custom roles with the “Manage Lock Label” privilege. You can lock a group using the “Lock” group label via the Admin console or the Cloud Identity Groups API.
Release information
- Rapid Release domains: Gradual rollout starting on December 10, 2024 (up to 15 days for feature visibility)
- Scheduled Release domains: Gradual rollout starting on December 10, 2024 (up to 15 days for feature visibility)
Availability
- Enterprise Standard and Plus
- Enterprise Essentials Plus
- Education Standard and Plus
- Cloud Identity Premium customers
Resources
- Google Workspace Admin Help: Maintain data synchronization with group locking (Beta)
- Google Workspace Admin Help: Administrator roles
- Google Workspace Admin Help: Assign specific administrator roles
- API documentation: Group labels
- API documentation: Role assignments
Note: This content is a translation of the Google English blog post from December 10th.